IAP + CDN #301
IAP + CDN #301
Conversation
k8s-ci-robot
added
size/XL
|
Thanks @rramkumar1 looking forward to this :D. |
rramkumar1
force-pushed
the
iap-cdn-work
branch
2 times, most recently
from
eb877ac
to
8c60a7b
Compare
|
/assign @MrHohn |
pkg/annotations/service.go
Outdated
| @@ -120,7 +122,9 @@ func (svc Service) GetBackendConfigs() (*BackendConfigs, error) { | |||
| return nil, err | |||
| } | |||
| if configs.Default == "" && len(configs.Ports) == 0 { | |||
| return nil, fmt.Errorf("no backendConfigs found in annotation: %v", val) | |||
| // We return an error here because if the annotation exists | |||
| // but has nothing in it, the user probably wanted to use it. | |||
pkg/backends/features/cdn.go
Outdated
| @@ -0,0 +1,71 @@ | |||
| /* | |||
| Copyright 2015 The Kubernetes Authors. | |||
| be.EnableCDN = beConfig.Spec.Cdn.Enabled | ||
| // Apply the cache key policies | ||
| cacheKeyPolicy := beConfig.Spec.Cdn.CachePolicy | ||
| be.CdnPolicy = &composite.BackendServiceCdnPolicy{CacheKeyPolicy: &composite.CacheKeyPolicy{}} |
There was a problem hiding this comment.
Curious is it valid to have be.EnableCDN=false but be.CdnPolicy=non-nil?
There was a problem hiding this comment.
Yep. If the user disabled CDN but provided cache policies, then we will act on it accordingly.
| // made to actually persist the changes. | ||
| func applyCDNSettings(sp utils.ServicePort, be *composite.BackendService) { | ||
| beConfig := sp.BackendConfig | ||
| setCDNDefaults(beConfig) |
There was a problem hiding this comment.
So this is applying defaults to backendConfig but not backendService, I was confused :)
There was a problem hiding this comment.
Yep, we apply defaults to the BackendConfig so that in the apply[IAP,CDN]Settings functions we don't have to have ugly nil checks.
pkg/composite/composite.go
Outdated
| @@ -240,6 +240,13 @@ func (be *BackendService) toAlpha() (*computealpha.BackendService, error) { | |||
| if err != nil { | |||
| return nil, fmt.Errorf("error unmarshalling BackendService JSON to compute alpha type: %v", err) | |||
| } | |||
| // Set force send fields. This is a temporary hack. | |||
| if alpha.CdnPolicy != nil && alpha.CdnPolicy.CacheKeyPolicy != nil { | |||
| alpha.CdnPolicy.CacheKeyPolicy.ForceSendFields = []string{"IncludeHost", "IncludeProtocol", "IncludeQueryString", "QueryStringBlaclist", "QueryStringWhitelist"} | |||
There was a problem hiding this comment.
QueryStringBlaclist -> QueryStringBlacklist, same for below.
pkg/backends/features/iap.go
Outdated
| if be.Iap == nil || beTemp.Iap.Enabled != be.Iap.Enabled || beTemp.Iap.Oauth2ClientId != be.Iap.Oauth2ClientId || beTemp.Iap.Oauth2ClientSecretSha256 != be.Iap.Oauth2ClientSecretSha256 { | ||
| glog.V(3).Infof("BackendService is %+v", be) | ||
| applyIAPSettings(sp, be) | ||
| glog.V(3).Infof("Updated IAP settings for service %v/%v.", sp.ID.Service.Namespace, sp.ID.Service.Name) |
There was a problem hiding this comment.
Maybe V(2)? Seems worth to log it if an update is needed.
Also Updated might not be accurate? As the actual update will happen after this.
pkg/backends/features/iap.go
Outdated
| // since that field is redacted when getting a BackendService. | ||
| beTemp.Iap.Oauth2ClientSecretSha256 = fmt.Sprintf("%x", sha256.Sum256([]byte(beTemp.Iap.Oauth2ClientSecret))) | ||
| if be.Iap == nil || beTemp.Iap.Enabled != be.Iap.Enabled || beTemp.Iap.Oauth2ClientId != be.Iap.Oauth2ClientId || beTemp.Iap.Oauth2ClientSecretSha256 != be.Iap.Oauth2ClientSecretSha256 { | ||
| glog.V(3).Infof("BackendService is %+v", be) |
There was a problem hiding this comment.
Oops, was debugging something and forgot to delete.
pkg/backends/features/iap.go
Outdated
| // and applies it to the BackendService if it is stale. It returns true | ||
| // if there were existing settings on the BackendService that were overwritten. | ||
| func EnsureIAP(sp utils.ServicePort, be *composite.BackendService) bool { | ||
| if sp.BackendConfig == nil { |
There was a problem hiding this comment.
I might be missing something...How is the disable case handled? Similar question for CDN as well.
There was a problem hiding this comment.
Discussed this offline but we should probably document that user should remove the annotation from the service first?
rramkumar1
force-pushed
the
iap-cdn-work
branch
2 times, most recently
from
6ef255a
to
84f8b94
Compare
rramkumar1
force-pushed
the
iap-cdn-work
branch
4 times, most recently
from
c93320f
to
0dc0865
Compare
| nodePool: nodePool, | ||
| healthChecker: healthChecker, | ||
| namer: namer, | ||
| backendConfigEnabled: backendConfigEnabled, |
There was a problem hiding this comment.
Might be worth to separate this out to another PR if we can't get this in soon..
k8s-ci-robot
added
the
lgtm
|
w00w00! thanks all :D |
|
@ConradIrwin Note that this is not officially available yet. It will only be released when we cut a new ingress-gce release, which will be 1.2.0 |
|
Noted, thank you. Do you have an estimate on that timeline? I'm just excited to see you're working through the backlog of feature requests :). (and I'd cheekily put another nudge in for #33, but don't block shipping this on implementing that :D) |
|
@ConradIrwin A very conservative estimate would be early July. |
|
We shouldn't use abbreviations in names in APIs unless they are extremly common: CDN might fit the bill but IAP does not. If we do use abbreviations, they should be all caps in the go types. |
This is the last PR for IAP + CDN integration.
TODO's in separate PR's:
1. Need to write an e2e test using new test framework.
2. Need to add more unit tests to verify behavior.
This change is